CVE-2026-44712

Name of the Vulnerable Software and Affected Versions pam usb versions prior to 0.8.7

Description An issue exists in the hardware authentication system for Linux where shell injection can occur. A crafted UUID in the configuration can lead to root remote code execution when the pamusb-conf --reset-pads command is executed. This payload can be injected during the --add-device process via a USB device with a crafted filesystem UUID. Additionally, the userName variable from the XML configuration is passed to the os.system() function in pamusb-agent, which invokes a shell.

Recommendations Update to version 0.8.7.